Sandstorm: Missing logs and scan results for mail samples

Dear all,

I just updated to UTM 9.4 and noticed that the Sandstorm component does not have any log files, or am I missing something?

Additionally, I cannot see any scan results under "Sandbox Activity" for files from Email Protection.

Regards

Basti

  • Hi Bastian,

    Since Sandstorm serves as a part of the malware scan process in Email Protection, you can find its related log entries in /var/log/smtp.log.

    Regarding your other question, since mails are treated as one coherent entity and releasing a single attachment is pointless, it was decided that files sent for Sandstorm scanning will not be displayed under Sandbox Activity page, but can be handled in the Mail Manager. This is further supported by the fact that while for files downloaded from web the source / IP can be easily determined and displayed, we can only show the connecting host for mails, which might differ from the original source.

    Niriel~

  • Hi Niriel,

    We are trying Sandstorm on UTM 9.403-4. Sandstorm shows one "Malicious" e-mail on the status page for today, but when I search the SMTP log I only find one mail that was sent to the sandbox and then delivered to our mail server, so I think it was clean.

    Is there any way to find out which mail was declared as "malicious"?

    Is there an explanation of the return codes in the web filter log? sandbox="1", sandbox="2", sandbox="3" and so on.

    I hope you can help me to understand Sandstorm :)

    Robert

  • Hi Robert,

    A mail can be evaluated as "malicious" in two scenarios:

    1. An attachment in the mail was sent for Sandstorm scanning and was deemed "malicious"
    2. An attachment in the mail was already cached by Sandstorm (the same attachment had already been sent / downloaded through the UTM) and the stored result was "malicious"

    In the first scenario, the mail will be put in the quarantine and you will be able to see it on the SMTP Quarantine tab in the Mail Manager with reason "Malware (Sandstorm)". You should also see similar log lines in the SMTP log:

    2016:06:15-12:03:40 xxxxxxxx smtpd[18301]: SCANNER[18301]: id="1004" severity="info" sys="SecureMail" sub="smtp" name="email pending" srcip="xx.xx.xx.xx" from="xxxxxx@xxxxxx" to="xxxxxx@xxxxxx" subject="test Wed, 15 Jun 2016 12:03:33 +0200" queueid="1bD7fg-0004lB-9t" size="37223" reason="sandbox" extra="Analyzing message content"
    ...
    2016:06:15-12:04:32 xxxxxxxx smtpd[5674]: SANDSTORM[5674]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="xx.xx.xx.xx" from="xxxxxx@xxxxxx" to="xxxxxx@xxxxxx" subject="test Wed, 15 Jun 2016 12:03:33 +0200" queueid="1bD7fg-0004lB-9t" size="37223" reason="av" extra="sandbox"

    In the second scenario, if the "Reject malware during SMTP transaction" option is turned on on the Email Protection > SMTP > Malware tab, the mail will be rejected during the SMTP transaction with "550 Sandstorm cached". If this happened, you should see something like this in the SMTP log:

    2016:06:15-12:04:54 xxxxxxxx exim-in[18750]: 2016-06-15 12:04:54 1bD7gs-0004sQ-18 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="xx.xx.xx.xx" from="xxxxxx@xxxxxx" to="xxxxxx@xxxxxx" subject="test Wed, 15 Jun 2016 12:04:54 +0200" queueid="1bD7gs-0004sQ-18" size="37567" reason="av" extra="Sandstorm cached"
    2016:06:15-12:04:54 xxxxxxxx exim-in[18750]: [1\16] 2016-06-15 12:04:54 1bD7gs-0004sQ-18 H=(xxxxxxxxxx) [xx.xx.xx.xx]:42582 F=<xxxxxx@xxxxxx> rejected after DATA: Malware found: Sandstorm cached
    ...
    2016:06:15-12:04:54 xxxxxxxx exim-in[18750]: 2016-06-15 12:04:54 1bD7gs-0004sQ-18 SMTP connection from (xxxxxxxxxx) [xx.xx.xx.xx]:42582 closed by DROP in ACL

    In the second scenario, if the "Reject malware during SMTP transaction" option is turned off, the mail will be dealt with according to the "Malware action" set on the same tab and will result in a quarantine / blackhole entry in the log, with reason="av" extra="Sandstorm cached", so either of these:

    2016:06:15-12:05:40 xxxxxxxx smtpd[27157]: SCANNER[27157]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="xx.xx.xx.xx" from="xxxxxx@xxxxxx" to="xxxxxx@xxxxxx" subject="test Wed, 15 Jun 2016 12:05:30 +0200" queueid="1bD8IO-000741-8G" size="37223" reason="av" extra="Sandstorm cached"
    2016:06:15-12:05:57 xxxxxxxx smtpd[27157]: SCANNER[27157]: id="1002" severity="info" sys="SecureMail" sub="smtp" name="email blackholed" srcip="xx.xx.xx.xx" from="xxxxxx@xxxxxx" to="xxxxxx@xxxxxx" subject="test Wed, 15 Jun 2016 12:05:55 +0200" queueid="1bD8If-000741-E3" size="37223" reason="av" extra="Sandstorm cached"

    In all cases, the mails should show up on the SMTP Log tab in the Mail Manager, with "Quarantined: Malware (Sandstorm)", "Rejected: Malware (Sandstorm cached)", "Quarantined: Malware (Sandstorm cached)" or "Blackholed: Malware (Sandstorm cached)", respectively.

    Regarding your other question, while I'm unfortunately not entirely familiar with the Web Filter logging, what I could gather is that probably sandbox="4" means "clean", sandbox="-3" means "malicious" and sandbox="-4" means that there was an error during the Sandstorm scan. If you're not quite convinced by this and/or encountered any other return codes, I suggest you take this question to the Web forum or contact support. :)

    Kind regards,
    Niriel~
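The answer above explains how to recognise Sandstorm verdicts in /var/log/smtp.log by the name, reason and extra fields and how they map to the Mail Manager status strings. As an added example (not from the thread or from Sophos), this script parses the key="value" fields of such lines, correlates "email pending" (sent to sandbox) and verdict lines by queueid, and reports the Mail Manager status for each mail. The log excerpt is constructed in the format quoted above with hosts and addresses replaced by documentation values; the queueid 1bD8J0-000741-Zz is also constructed.

```python
import re

# Constructed sample excerpt in the format quoted in the post above (hosts and
# addresses replaced with documentation values); it is not a real smtp.log.
SAMPLE_SMTP_LOG = r"""
2016:06:15-12:03:40 utm smtpd[18301]: SCANNER[18301]: id="1004" severity="info" sys="SecureMail" sub="smtp" name="email pending" srcip="192.0.2.10" from="alice@example.net" to="bob@example.org" subject="test Wed, 15 Jun 2016 12:03:33 +0200" queueid="1bD7fg-0004lB-9t" size="37223" reason="sandbox" extra="Analyzing message content"
2016:06:15-12:04:32 utm smtpd[5674]: SANDSTORM[5674]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="192.0.2.10" from="alice@example.net" to="bob@example.org" subject="test Wed, 15 Jun 2016 12:03:33 +0200" queueid="1bD7fg-0004lB-9t" size="37223" reason="av" extra="sandbox"
2016:06:15-12:04:54 utm exim-in[18750]: 2016-06-15 12:04:54 1bD7gs-0004sQ-18 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="192.0.2.10" from="alice@example.net" to="bob@example.org" subject="test Wed, 15 Jun 2016 12:04:54 +0200" queueid="1bD7gs-0004sQ-18" size="37567" reason="av" extra="Sandstorm cached"
2016:06:15-12:04:54 utm exim-in[18750]: [1\16] 2016-06-15 12:04:54 1bD7gs-0004sQ-18 H=(mx.example.net) [192.0.2.10]:42582 F=<alice@example.net> rejected after DATA: Malware found: Sandstorm cached
2016:06:15-12:05:57 utm smtpd[27157]: SCANNER[27157]: id="1002" severity="info" sys="SecureMail" sub="smtp" name="email blackholed" srcip="192.0.2.10" from="alice@example.net" to="bob@example.org" subject="test Wed, 15 Jun 2016 12:05:55 +0200" queueid="1bD8If-000741-E3" size="37223" reason="av" extra="Sandstorm cached"
2016:06:15-12:06:10 utm smtpd[27157]: SCANNER[27157]: id="1004" severity="info" sys="SecureMail" sub="smtp" name="email pending" srcip="192.0.2.11" from="carol@example.net" to="bob@example.org" subject="invoice" queueid="1bD8J0-000741-Zz" size="12000" reason="sandbox" extra="Analyzing message content"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Mail Manager status strings as listed in the post, keyed by (name, extra).
STATUS = {
    ("email quarantined", "sandbox"): "Quarantined: Malware (Sandstorm)",
    ("email rejected", "Sandstorm cached"): "Rejected: Malware (Sandstorm cached)",
    ("email quarantined", "Sandstorm cached"): "Quarantined: Malware (Sandstorm cached)",
    ("email blackholed", "Sandstorm cached"): "Blackholed: Malware (Sandstorm cached)",
}

def parse_fields(line):
    """Return the key="value" pairs of one smtp.log line as a dict ({} if none)."""
    return dict(FIELD_RE.findall(line))

def sandstorm_status(fields):
    """Mail Manager status for a Sandstorm verdict line, or None for any other line."""
    if fields.get("reason") != "av":
        return None
    return STATUS.get((fields.get("name"), fields.get("extra")))

def find_sandstorm_mails(log_text):
    """Correlate 'sent to sandbox' and verdict lines by queueid; status stays
    None when the excerpt only has the 'email pending' line for a queueid."""
    mails = {}
    for line in log_text.splitlines():
        f = parse_fields(line)
        qid = f.get("queueid")
        if not qid:
            continue  # plain exim-in lines carry no key="value" fields
        sent = f.get("name") == "email pending" and f.get("reason") == "sandbox"
        status = sandstorm_status(f)
        if sent or status:
            entry = mails.setdefault(qid, {k: f.get(k) for k in ("subject", "from", "to")})
            entry["status"] = status or entry.get("status")
    return mails

if __name__ == "__main__":
    for qid, m in find_sandstorm_mails(SAMPLE_SMTP_LOG).items():
        print(qid, m["from"], "->", m["to"], "|", m["status"] or "sent to sandbox, no verdict in excerpt")
```

Run it against a real /var/log/smtp.log (e.g. `find_sandstorm_mails(open("/var/log/smtp.log").read())`) to list the mails Sandstorm judged malicious alongside the sandbox submissions that have no verdict line yet.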